Safe and sound: How AVI Medical stays privacy compliant

One of the fastest-growing start-ups in Germany

Avi Medical is a GP practice with an ambitious mission: combining top class medical treatment and technology to provide the best possible care. After successfully securing Series A funding in 2021, the team’s eyes are now set on further digitising their business and expanding rapidly, beginning with opening practices in new locations around Germany. Being a high-growth company means spinning lots of plates, but privacy is something Avi Medical has always known to be important to focus on from the start. “In the healthcare industry, you handle a lot of sensitive data. For us, protecting our patient’s data is of upmost importance. It’s an essential part of how we build trust,” explains Dr. Christoph Baumeister, Avi Medical’s Founder & CPO.

Getting privacy right from the get-go

Thanks to their privacy audit, the team also have a complete set of data privacy documentation in place and are working through their list of privacy to-dos. “The outcome of the audit has given us absolute peace of mind: we now have a complete set of compliance documentation that is always up-to-date and ready for use. The team at DataGuard also checks in with us on our privacy to-dos and offer their support. This approach has totally operationalised our privacy,” says Dr. Baumeister.

With so much high-risk data being processed, from health scores to medical records, Avi Medical and DataGuard must account for every single detail. “MedTech is a heavily regulated industry, which makes working with a business like Avi Medical very dynamic and engaging. Such projects require a precise approach since special categories of a patient’s personal data is involved,” explains Wojciech Kleta, one of DataGuard’s in-house experts. “Our projects range from short to long term: from answering daily privacy queries and ad-hoc requests, all the way to helping the team ensure that their ambitious digitalisation plans are fully compliant.”

Compliance doesn’t have an “off” switch

Running a medical practice as well as an app comes with many challenges. Avi Medical have three different privacy policies to maintain – one for their website, one for their app, and another for patients who book appointments inside the practice. The team used DataGuard’s Privacy Policy Generator to help create these, and with the help of their expert, they can always keep them up to date. For a company like Avi Medical, creating a privacy policy is not a once-off job: every update that involves processing patient data in some way involves a corresponding update to the policy. Avi Medical are split into two entities: the mother company and the practice holding. As such, DataGuard helped to draft a Joint Controllership Agreement (JCA) for the two entities. This contract essentially outlines the legal basis for the two companies to share and process the same data. Avi Medical’s plan to expand to new cities also presents privacy challenges. The team needed to put structures in place to allow the same patient to visit their practices in different cities. For this, patient records need to be shared between different branches. Working together with Avi Medical’s attorneys, DataGuard’s experts have now put the legal consents in place to make this possible.

Looking ahead: ready for any new challenges

DataGuard is working with Avi Medical’s team to support with their digitisation plans. A key aspect of this is checking various Data Processing Agreements (DPAs). This ensures that patient data will be protected by any other companies Avi Medical works with. Another key project has been performing a data privacy impact assessment (DPIA). This document was essential to understand the status quo and whether there were any existing risks that needed to be addressed.

All in all, Dr. Baumeister feels that the team has found the right partner to support Avi Medical for any compliance topics as they expand: “With our digital approach combining online appointments with a healthcare app, we needed a partner that really understands our technical needs. With DataGuard, we have found a partner that speaks our language and helps us with pragmatic advice regarding everything data privacy and information security.”